Table of Contents

Preface  1

Chapter 1: Point-to-Point Networks  7
  Introduction  7
  Shortest setup possible  8
  OpenVPN secret keys  10
  Multiple secret keys  12
  Plaintext tunnel  15
  Routing  16
  Configuration files versus the command-line  20
  Complete site-to-site setup  22
  3-way routing  25

Chapter 2: Client-server IP-only Networks  31
  Introduction  31
  Setting up the public and private keys  32
  Simple configuration  38
  Server-side routing  40
  Using 'client-config-dir' files  46
  Routing: subnets on both sides  49
  Redirecting the default gateway  52
  Using an 'ifconfig-pool' block  54
  Using the status file  59
  Management interface  63
  Proxy-arp  65

Chapter 3: Client-server Ethernet-style Networks  69
  Introduction  69
  Simple configuration—non-bridged  70
  Enabling client-to-client traffic  74
  Bridging—Linux  78
  Bridging—Windows  83
  Checking broadcast and non-IP traffic  86
  External DHCP server  90
  Using the status file  95
  Management interface  98

Chapter 4: PKI, Certificates, and OpenSSL  103
  Introduction  103
  Certificate generation  104
  xCA: a GUI for managing a PKI (Part 1)  106
  xCA: a GUI for managing a PKI (Part 2)  108
  OpenSSL tricks: x509, pkcs12, verify output  112
  Revoking certificates  114
  The use of CRLs  116
  Checking expired/revoked certificates  118
  Intermediary CAs  120
  Multiple CAs: stacking, using --capath  122

Chapter 5: Two-factor Authentication with PKCS#11  127
  Introduction  127
  Initializing a hardware token  128
  Getting a hardware token ID  131
  Using a hardware token  133
  Using the management interface to list PKCS#11 certificates  136
  Selecting a PKCS#11 certificate using the management interface  139
  Generating a key on the hardware token  142
  Private method for getting a PKCS#11 certificate  146
  Pin caching example  148

Chapter 6: Scripting and Plugins  153
  Introduction  153
  Using a client-side up/down script  154
  Windows login greeter  158
  Using client-connect/client-disconnect scripts  161
  Using a 'learn-address' script  165
  Using a 'tls-verify' script  168
  Using an 'auth-user-pass-verify' script  171
  Script order  174
  Script security and logging  177
  Using the 'down-root' plugin  180
  Using the PAM authentication plugin  183

Chapter 7: Troubleshooting OpenVPN: Configurations  187
  Introduction  187
  Cipher mismatches  188
  TUN versus TAP mismatches  189
  Compression mismatches  191
  Key mismatches  193
  Troubleshooting MTU and tun-mtu issues  195
  Troubleshooting network connectivity  197
  Troubleshooting 'client-config-dir' issues  198
  How to read the OpenVPN log files  201

Chapter 8: Troubleshooting OpenVPN: Routing  207
  Introduction  207
  The missing return route  208
  Missing return routes when 'iroute' is used  211
  All clients function except the OpenVPN endpoints  214
  Source routing  217
  Routing and permissions on Windows  220
  Troubleshooting client-to-client traffic routing  222
  Understanding the 'MULTI: bad source' warnings  225
  Failure when redirecting the default gateway  227

Chapter 9: Performance Tuning  233
  Introduction  233
  Optimizing performance using 'ping'  234
  Optimizing performance using 'iperf'  236
  OpenSSL cipher speed  239
  Compression tests  241
  Traffic shaping  244
  Tuning UDP-based connections  246
  Tuning TCP-based connections  249
  Analyzing performance using tcpdump  253

Chapter 10: OS Integration  255
  Introduction  255
  Linux: using NetworkManager  256
  Linux: using 'pull-resolv-conf'  260
  MacOS: using Tunnelblick  262
  Windows Vista/7: elevated privileges  266
  Windows: using the CryptoAPI store  269
  Windows: updating the DNS cache  273
  Windows: running OpenVPN as a service  275
  Windows: public versus private network adapters  280
  Windows: routing methods  282

Chapter 11: Advanced Configuration  285
  Introduction  285
  Including configuration files in config files  286
  Multiple remotes and remote-random  288
  Details of ifconfig-pool-persist  291
  Connecting using a SOCKS proxy  294
  Connecting via an HTTP proxy  297
  Connecting via an HTTP proxy with authentication  300
  Using dyndns  303
  IP-less setups (ifconfig-noexec)  306

Chapter 12: New Features of OpenVPN 2.1 and 2.2  311
  Introduction  311
  Inline certificates  312
  Connection blocks  314
  Port sharing with an HTTPS server  317
  Routing features: redirect-private, allow-pull-fqdn  319
  Handing out the public IPs  322
  OCSP support  325
  New for 2.2: the 'x509_user_name' parameter  328

Index  331